Audio Capture

Detects attempts to record audio with arecord utility

Sigma rule

title: Audio Capture
id: a7af2487-9c2f-42e4-9bb9-ff961f0561d5
status: test
description: Detects attempts to record audio with arecord utility
references:
    - https://linux.die.net/man/1/arecord
    - https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa
author: 'Pawel Mazur'
date: 2021/09/04
modified: 2022/10/09
tags:
    - attack.collection
    - attack.t1123
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: EXECVE
        a0: arecord
        a1: '-vv'
        a2: '-fdat'
    condition: selection
falsepositives:
    - Unknown
level: low
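The selection above is a set of exact field matches on an auditd EXECVE record. As an added example (not part of the Sigma project or this rule page), the Python below parses a few constructed auditd lines and applies the rule's selection to them, so you can see which records it would and would not raise on. The log lines, timestamps and serials are made up for illustration; the matching follows Sigma's semantics for plain string values, which is exact, case-insensitive comparison.

```python
import re
from typing import Dict, List

# Constructed sample auditd records (not from the page); timestamps, serials,
# pids and paths are made up for illustration.
SAMPLE_LOG = """\
type=EXECVE msg=audit(1630752000.101:201): argc=4 a0="arecord" a1="-vv" a2="-fdat" a3="capture.wav"
type=EXECVE msg=audit(1630752000.102:202): argc=2 a0="arecord" a1="-l"
type=EXECVE msg=audit(1630752000.103:203): argc=2 a0="aplay" a1="alert.wav"
type=SYSCALL msg=audit(1630752000.104:204): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c3a2b4c0 a1=55d1c3a2b5e0 a2=55d1c3a2c1f0 a3=8 items=2 ppid=1 pid=1234 comm="arecord" exe="/usr/bin/arecord"
type=EXECVE msg=audit(1630752000.105:205): argc=5 a0="/usr/bin/arecord" a1="-vv" a2="-fdat" a3="-d" a4="10"
"""

# key=value pairs; values are either double-quoted or a run of non-whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The rule's selection, expressed as field -> expected value.
SELECTION = {"type": "EXECVE", "a0": "arecord", "a1": "-vv", "a2": "-fdat"}


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one auditd line into a field dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def matches_rule(fields: Dict[str, str]) -> bool:
    """condition: selection -- every selection field must be present and equal
    (case-insensitive, as Sigma treats plain string values)."""
    return all(fields.get(k, "").lower() == v.lower() for k, v in SELECTION.items())


def audit_serial(fields: Dict[str, str]) -> str:
    """Pull the event serial N out of msg=audit(secs.usecs:N)."""
    m = re.search(r"audit\([\d.]+:(\d+)\)", fields.get("msg", ""))
    return m.group(1) if m else ""


def scan(log_text: str) -> List[str]:
    """Return the serial of every record that satisfies the selection."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_audit_record(line)
        if matches_rule(fields):
            hits.append(audit_serial(fields))
    return hits


if __name__ == "__main__":
    for serial in scan(SAMPLE_LOG):
        print(f"Audio Capture rule matched audit record {serial}")
```

Only record 201 fires. Record 202 is arecord with other arguments, 203 is a different ALSA tool, 204 is the SYSCALL record (the rule keys on the EXECVE record's argument fields, not on comm or exe), and 205 carries a full path in a0, which an exact match on `arecord` does not cover. That last case is the practical caveat when deploying this rule: a0 holds argv[0] as invoked, so if you need path-invariant coverage, pair this rule with one that inspects the SYSCALL record's exe field or use an endswith-style modifier on a0.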
